BitLocker, the encryption technology built into Windows, has taken some hits lately. A recent exploit demonstrated removing a computer’s TPM chip to extract its encryption keys, and many hard drives are breaking BitLocker. Here’s a guide to avoiding BitLocker’s pitfalls.
Note that these attacks all require physical access to your computer. That’s the whole point of encryption—to stop a thief who stole your laptop or someone from gaining access to your desktop PC from viewing your files without your permission.
Standard BitLocker Isn’t Available on Windows Home
While nearly all modern consumer operating systems ship with encryption by default, Windows 10 still doesn’t provide encryption on all PCs. Macs, Chromebooks, iPads, iPhones, and even Linux distributions offer encryption to all their users. But Microsoft still doesn’t bundle BitLocker with Windows 10 Home.
Some PCs may come with similar encryption technology, which Microsoft originally called “device encryption” and now sometimes calls “BitLocker device encryption.” We’ll cover that in the next section. However, this device encryption technology is more limited than full BitLocker.
How an Attacker Can Exploit This: There’s no need for exploits! If your Windows Home PC just isn’t encrypted, an attacker can remove the hard drive or boot another operating system on your PC to access your files.
The Solution: Pay $99 for an upgrade to Windows 10 Professional and enable BitLocker. You could also consider trying another encryption solution like VeraCrypt, the successor of TrueCrypt, which is free.
BitLocker Sometimes Uploads Your Key to Microsoft
Many modern Windows 10 PCs come with a type of encryption named “device encryption.” If your PC supports this, it will be automatically encrypted after you sign into your PC with your Microsoft account (or a domain account on a corporate network). The recovery key is then automatically uploaded to Microsoft’s servers (or your organization’s servers on a domain).
This protects you from losing your files—even if you forget your Microsoft account password and can’t sign in, you can use the account recovery process and regain access to your encryption key.
How an Attacker Can Exploit This: This is better than no encryption. However, this means that Microsoft could be forced to disclose your encryption key to the government with a warrant. Or, even worse, an attacker could theoretically abuse a Microsoft account’s recovery process to gain access to your account and access your encryption key. If the attacker had physical access to your PC or its hard drive, they could then use that recovery key to decrypt your files—without needing your password.
The Solution: Pay $99 for an upgrade to Windows 10 Professional, enable BitLocker via the Control Panel, and choose not to upload a recovery key to Microsoft’s servers when prompted.
Many Solid State Drives Break BitLocker Encryption
Some solid-state drives advertise support for “hardware encryption.” If you’re using such a drive in your system and enable BitLocker, Windows will trust your drive to do the job and not perform its usual encryption techniques. After all, if the drive can do the work in hardware, that should be faster.
There’s just one problem: Researchers have discovered that many SSDs don’t implement this properly. For example, the Crucial MX300 protects your encryption key with an empty password by default. Windows may say BitLocker is enabled, but it may not actually be doing much in the background. That’s scary: BitLocker shouldn’t be silently trusting SSDs to do the work. This is a newer feature, so this problem only affects Windows 10 and not Windows 7.
How an Attacker Could Exploit This: Windows may say BitLocker is enabled, but BitLocker may be sitting idly by and letting your SSD fail at securely encrypting your data. An attacker could potentially bypass the badly implemented encryption in your solid-state drive to access your files.
The Solution: Change the “Configure use of hardware-based encryption for fixed data drives” option in Windows group policy to “Disabled.” You must unencrypt and re-encrypt the drive afterward for this change to take effect. BitLocker will stop trusting drives and will do all the work in software instead of hardware.
TPM Chips Can Be Removed
A security researcher recently demonstrated another attack. BitLocker stores your encryption key in your computer’s Trusted Platform Module (TPM,) which is a special piece of hardware that’s supposed to be tamper-resistant. Unfortunately, an attacker could use a $27 FPGA board and some open-source code to extract it from the TPM. This would destroy the hardware, but would allow extracting the key and bypassing the encryption.
How an Attacker Can Exploit This: If an attacker has your PC, they can theoretically bypass all those fancy TPM protections by tampering with the hardware and extracting the key, which isn’t supposed to be possible.
The Solution: Configure BitLocker to require a pre-boot PIN in group policy. The “Require startup PIN with TPM” option will force Windows to use a PIN to unlock the TPM at startup. You will have to type a PIN when your PC boots before Windows starts up. However, this will lock the TPM with additional protection, and an attacker won’t be able to extract the key from the TPM without knowing your PIN. The TPM protects against brute force attacks so attackers won’t just be able to guess every PIN one by one.
Sleeping PCs Are More Vulnerable
Microsoft recommends disabling sleep mode when using BitLocker for maximum security. Hibernate mode is fine—you can have BitLocker require a PIN when you wake your PC from hibernate or when you boot it normally. But, in sleep mode, the PC remains powered on with its encryption key stored in RAM.
How an Attacker Can Exploit This: If an attacker has your PC, they can wake it and sign in. On Windows 10, they may have to enter a numeric PIN. With physical access to your PC, an attacker may also be able to use direct memory access (DMA) to grab the contents of your system’s RAM and get the BitLocker key. An attacker could also execute a cold boot attack—reboot the running PC and grab the keys from RAM before they vanish. This may even involve the use of a freezer to lower the temperature and slow that process down.
The Solution: Hibernate or shut down your PC rather than leaving it asleep. Use a pre-boot PIN to make the boot process more secure and block cold boot attacks—BitLocker will also require a PIN when resuming from hibernation if it’s set to require a PIN at boot. Windows also lets you “disable new DMA devices when this computer is locked” through a group policy setting, too—that provides some protection even if an attacker gets your PC while it’s running.
If you’d like to do some more reading on the subject, Microsoft has detailed documentation for securing Bitlocker on its website.